Common Badging and Access Control System (CBACS)



People, Technology, & Information Working Together For NASA


Marshall Space Flight Center 






October 4, 2005 
portia.dischinger@nasa.gov 


Explore. Discover. Understand.






Agenda 


■ Beginning: Smart Cards 

■ Re-direction: CBACS 

■ CBACS Description 

■ CBACS Integration 

■ CBACS Deployment 

■ Milestones and Dependencies 

■ Risks 

■ Planning 

■ Next Steps 

■ Summary 







CBACS History 

■ Started in 2003 as NASA Smart Card Project 

■ Implementation of a multi-application, multi-technology 
Smart Card program for the Agency 

■ Issued GSA task order in November 2003 

■ Conducted NASA site surveys in February - March of 
2004 

■ During site surveys, determined that Center badging
infrastructures were non-standard/non-compatible with
Smart Card technology

■ Re-directed the program to incorporate a common 
badging and access control solution for the Agency, 
known as CBACS 

■ Smart Cards for logical and physical access will be 
implemented in the final phase 



CBACS - Initial Scope - Smart Cards 


■ MISSION: (2002/2003) 

■ The implementation of a multi-application, multi-technology
smart card program with an Agency user base

■ GOALS: 

■ To issue a common credential token (physical and
logical identifier) that is ...

■ Used by NASA employees, contractors, and other 
people approved by NASA.... 

■ Who require routine access to NASA physical and 
information resources. 

■ An inter-agency Federal Identity Credential conforming 
with emerging federal policy and technical 
interoperability 


During site surveys, issues were identified on several fronts:
diversity of existing PACS, the need for common processes, difficulties
in logical roll-out, and flexibility/ease of use of the system

IDMS - Identity Management System
CCMS - Central Card Management System
PACS - Physical Access Control System
PI - Person Identifier (Contained in FIC-N)
PI = Uniform Universal Person Identifier (UUPIC)
LDAP - Lightweight Directory Access Protocol

CBACS - Project Re-Direction


■ MISSION (re-directed): (2004) 

■ Achieve high business value through a common 
badging and access control system that integrates with 
Smart Cards 

■ GOALS: 

■ Initially provide physical (versus logical) deployment of 
through CBACS 

■ Provides a common, consistent, and reliable environment
into which to release the Smart Card

■ Gives opportunity to develop Agency-consistent
processes, practices, and policies

■ Enables Enterprise data capture and management 

■ Promotes data validation prior to SC issuance 

■ Avoids further investment in current PACS systems 



CBACS - Description 

An Integrated Services and IT Security Environment That Fulfills NASA and 
Homeland Security Presidential Directive (HSPD-12) Requirements for: 

■ NASA Identity Management System - IDMS

• Central Authoritative Source for Personnel Identification 

• Warehouse for Personnel Security Investigation Determinations 

• Warehouse for Clearance Issuance & Uniform Universal Person Identification Code 
(UUPIC) 

■ Enterprise Physical Access Control System - E-PACS

• Software for Common Badging Application 

• Area Access Management 

• Visitor Management System (Optional) 

• Alarm Monitoring Application 

• Integrated Digital Video Recording and Archiving System 

■ Smart Card Physical Access - SC

• Hybrid Smart Card 

• Utilized with E-PACS for Physical Access 

• Provide Logical Access to NASA Computerized Systems During Final Phase of 
Implementation 

■ Central Card Management System - CCMS

• Contact and Contact-less Smart Card Encoding 

• Provides Logical Certificates to the Smart Card from the NASA CA 

• Smart Card Life Cycle Management 

CBACS - Conceptual Drawing

CBACS - System Life Cycle

CBACS Enrollment Process


■ Requirement 

■ HSPD-12 (3) “Secure and reliable forms of identification”
that (a) is issued based on sound criteria for verifying an
individual employee’s identity; ... issued only by providers
whose reliability has been established by an official
accreditation process

■ Enrollment Process Definition

■ The process of issuing a card to a cardholder within the 
One NASA system is defined in four phases: 

■ Registration 

■ Verification 

■ Validation 

■ Issuance 

CBACS Deployment

CBACS Major Milestones and Dependencies

| Major Milestones | Date | CBACS Project Dependencies | Other Project Dependencies | Proposed Action |
|---|---|---|---|---|
| Issue One NASA Badge To Civil Servants | July 2005 | Badge Issuance Workstations; Central Region And Master Server | NISN - WAN Connectivity To Central Region Server; NDC/Center Trust Relationship Highly Desirable | Complete |
| Issue One NASA Badge To All Employees Without WAN | Jan 2006 | Deploy Regional Servers; Identity Data Integration | NDC/Center Trust Relationship Desirable; IdM Deployment; IdM Data Integration For Provision Of Verified Identities To CBACS Master And Regions | Send Requested Data Call To Center Management (OSPP And OCIO) |
| Issue One NASA Badge With Automated Processing | Jan 2006 | Workflow Definitions For Badge Requests | IdM Deployment; Workflow Development | Document Business Process |
| Physical Access Via One NASA Badge Utilizing E-PACS | Q4FY0J | Regional Server Deployment; E-PACS Compatible Backend Infrastructure | | CBACS-provided E-PACS Training; Local Center Compatibility Review With Issues Noted |
| Physical Access Via Smart Card One NASA Badge | FY07 | Install Medium Assurance Smart Card Readers For Physical Access; Install Smart Card Management System | CIMS - Enterprise LDAP Directory | Smart Card Badge Issuance Training; Local Center Infrastructure Upgrade To New Readers |
| Logical Access Via Smart Card One NASA Badge | FY07 | Deploy Middleware For All Users; Deploy Readers For All Users | PKI Integration | Coordinate With Desktop Providers |






Critical Project Risks 

- Requirements gaps of current COTS products and scheduled 
releases 

- Availability of new technology contactless readers 

- Issuance of non-waiverable FIPS 201 and associated NIST SP 800-73,
which define Federal standards

- Approach for compliance with NIST identity standards in response 
to HSPD-12, including such capabilities as biometrics 

- Establishment of consistent business processes and procedures 

- Establishment of standards for Regional and Enterprise PACS 

- Definition and design of CM processes for updating E-PACS 
database fields and forms after implementation 

- Provision of identity data for the E-PACS and IDMS 

- Replacement of existing physical readers 

- NASA’s final card buy 

- Projects currently underway 

CBACS - Planning Approach

| New Work Planning Documents | Compliance | Reason for not complying or N/A |
|---|---|---|
| OMB Circular A-11 - Business Plan | Complies | |
| NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems | Complies | |
| NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems | Complies | |
| NPR 7120.5C, Sections 3.2, 3.4, 3.5.2, and 3.5.3 | Will Comply | Evaluation underway to ensure compliance |
| NPD 8710.1, Emergency Preparedness Programs | Complies | |
| NPR 1620.1, Security Procedures and Guidelines | Complies | |
| NPR 2810.1 Security of Information Technologies | Complies | |
| NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems | Final Evaluation Underway | |
| NPR 7150.2, NASA Software Engineering Requirements, and NASA Standard 8739.8, Software Assurance Standard | Will Comply | Evaluation underway to ensure compliance |

Next Steps

■ Complete Regional Server and Workstation connectivity 

■ Receive Authority To Operate (ATO) for current environment 

■ CBACS independent audit began September 11 for C&A in preparation
to receive an authority to operate. Final report pending

■ First HIGH to be evaluated using NIST 800-53 controls 

■ Complete Center-specific requirements

■ Initiate Smart Card activities to meet HSPD-12 deadlines 

■ Updated CBACS Security Plan - NIST 800-18 

■ Update CBACS Risk Assessment Plan - NIST 800-30

■ Complete final design documents 

■ Stage, configure and test CCMS Server 

■ Conduct Smart Card Key Ceremony 

■ Refine communications and change management strategies 

■ Conduct CDR milestone review 



Summary - Why CBACS? 

■ One view of badging and access control 

■ One system to certify 

■ One system to secure 

■ One system to ruggedize

■ One system to upgrade 

■ One system to measure 

■ One system to provide better information and shared 
services 

■ Re-alignment of workforce to be customer facing 

■ Processors are cheap - but these are not: 

- Space

- Power

- Installation

- Configuration

- Administration

- Integration

- Global Policies

- Maintenance

- Patching

- Upgrades


Reduce, consolidate, scale, and partner! 



Common Badging and Access Control System (CBACS) 


Portia Dischinger 


NASA began a Smart Card implementation in January 2004. Following site
surveys, it was determined that NASA's badging and access control systems
required upgrades to a common infrastructure in order to provide flexibility,
usability, and return on investment prior to a smart card implementation.
CBACS provides the common infrastructure from which FIPS-201 compliant
processes, systems, and credentials can be developed and used.


